Aka vSphere Hardening – Part 3
In my previous post in this series, I presented an overview of some tools that can help you in assessing your environment. The free compliance checkers, like the “vSphere 5.0 VMware Hardening Guidelines Checker” receive a lot of attention and various blog posts are available.
In this post, I will focus on the vCenter Configuration Manager (vCM). vCM is a component of vCOM (vCenter Operations Management Suite). Other components of this suite are:
- vCenter Operations Manager (I think the best known part of the suite).
- vCenter Infrastructure Navigator.
- vCenter Chargeback Manager (for more info, start reading here).
- vFabric Hyperic (application monitoring for custom web applications)
vCM came to VMware through the acquisition of Configuresoft and has a lot to offer. vCM integrates with vCenter and vCloud Director, covers both physical and virtual systems and is really helpful for compliance management. It can automate the deployment of operating systems and deploy application packages, and it includes many ready-to-use templates, like PCI, HIPAA and guidelines from VMware and Microsoft.
After a little search on the Internet, I was surprised at the limited amount of information available about this product.
Besides the official VMware product documentation, I found one publicly available video highlighting vCM's Change Management capabilities. For those of you who have access to the VMworld 2013 content, session VCM 4838, “Automating IT Configuration and Compliance Management for Your Cloud”, presents vCM's compliance checking capabilities.
The current vCM 5.7 version was released July 25th 2013. It is no surprise that vCM has a lot more features than our initial goal requires, as we will see later on.
In this post and following episodes, I will show you the installation and configuration of vCM and its capabilities to perform a security assessment.
The central resource from where you will find all necessary documentation and product downloads is here.
Unlike vCenter Operations Manager, vCM does not come as an appliance (which is a shame). We start by downloading the vCM .iso, named “VMware-VCM-22.214.171.124.iso”. Note that there is also a second .iso for the OS provisioning server. At this moment we do not need that one.
IT guys tend to skip reading installation guides; the good news is that vCM comes with two Installation Guides. Why is that?
vCM has three main components:
- VCM Collector
- SQL Server
- Web Server (IIS)
vCM can be installed as a 1-tier, 2-tier or 3-tier application. Split installations are useful when, for example, site policies limit a VCM user’s access to a database server or Web server.
In case you need to install the 3-tier configuration, read the “Advanced Installation Guide”. For the other configurations, the “Installation Guide” will do. I must say, the installation guides contain very detailed information on sizing different configurations. If you are going to install vCM in production, these guides are a must read.
We are setting up vCM for evaluation purposes, so we try to keep things as simple as possible and choose the 1-tier configuration.
Besides the vCM .iso, what more do we need to install vCM?
- VCM domain accounts. Although the documentation suggests creating a range of domain accounts, we start by creating a single domain account, called: VCMadmin.
- Windows 2008 R2 Server.
- SQL Server 2008R2 Standard or Enterprise.
- SQL Server Management Tools
Resources in my home lab are scarce, so I have created a VM with the following minimal configuration:
- 2 vCPU
- 6 GB Memory
- Disk 1 = 40 GB
- Disk 2 = 20 GB
- 1 DVD drive
- 1 NIC in same network as vCenter server and ESXi servers.
As a first step, decide on a valid DNS computer name with no underscores, for use when the Windows installation prompts for a machine name. Renaming the machine after installation is not recommended. In my case, the name is VCM.
Register the machine name in DNS.
Install Windows Server 2008 R2 on the newly created VM. The installation is standard. You can configure Regional and Language options, the administrator account, etc. When done, do not forget to set the time zone and the correct computer name.
After finishing the Windows installation, make sure that the Remote Desktop Session Host is Disabled.
Join the new server to the Windows domain and reboot.
Add the VCMadmin account to the Local Administrators Group.
Log out and log in with the VCMadmin account. You must use this account for the installation of vCM.
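The preparation steps above can be checked from PowerShell before the installer is started. This is an added example, not part of the original post and not the vCM installer's own prerequisite check; it assumes the VCMadmin account name used in this post and the Windows Server 2008 R2 ServerManager feature name `RDS-RD-Server` for the Remote Desktop Session Host.

```powershell
# Added example: verify the host preparation steps from this post.
# Assumption: the installation account is named VCMadmin, as in the post.
Import-Module ServerManager   # provides Get-WindowsFeature on Windows Server 2008 R2

$account  = 'VCMadmin'
$computer = $env:COMPUTERNAME

function New-Check($Name, $Passed, $Detail) {
    # One result row per prerequisite
    New-Object PSObject -Property @{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail }
}

# Domain membership of this machine
$cs = Get-WmiObject -Class Win32_ComputerSystem

# Remote Desktop Session Host role service must not be installed
$rdsh = Get-WindowsFeature -Name RDS-RD-Server

# Direct members of the local Administrators group
# (membership through a nested domain group is not resolved here)
$group   = [ADSI]"WinNT://$computer/Administrators,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

$results = @(
    New-Check 'Computer name has no underscore' ($computer -notmatch '_') $computer
    New-Check 'Machine is joined to a domain' $cs.PartOfDomain $cs.Domain
    New-Check 'RD Session Host not installed' (-not $rdsh.Installed) $rdsh.DisplayName
    New-Check "$account in local Administrators" ($members -contains $account) ($members -join ', ')
    New-Check "Logged on as $account" ($env:USERNAME -eq $account) "$env:USERDOMAIN\$env:USERNAME"
)

$results | Select-Object Check, Passed, Detail | Format-Table -AutoSize

# Non-zero exit code when any prerequisite is missing
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

The DNS registration is best confirmed from another machine, because a host always resolves its own name.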
Mount the downloaded vCM .iso file.
Start the vCM installer.
Choose the “Typical Installation”.
Select “I accepted …”, place a tick at “I am …” and “I have …” and continue. A progress bar appears while the installer is checking your system for the prerequisites as mentioned before.
After completing all tests, continue by clicking “Next” and review the results.
As you can see, most of the prerequisites still have to be fulfilled, before we can start the installation. The installer is very helpful with the installation of the missing pieces, although Internet access is essential.
In case you did not install MS SQL Server, click the “Install a New Instance” button, point to the installation files and start the installation. In case you do not have these files, you can download an evaluation version from Microsoft.
In my case, I installed an already available MSDN version of MS SQL 2008 R2. Note that vCM does not support the MS SQL Express edition, as with e.g. vCenter Server.
The installation of MSSQL Server 2008 R2 is straightforward, a brief summary:
- Setup Roles, select SQL Server Feature Installation.
- Feature Selection, select Database Engine Services, Reporting Services, Client Tools Connectivity and Management Tools – Complete.
- Instance Configuration, select Default Instance.
- Server Configuration, “Use the same account for all SQL Server services”.
- Database Engine Configuration, Account Provisioning tab, select “Mixed Mode” and provide a password for the SA account. Add the VCMadmin account to the SQL Server administrators. On the Data Directories tab, I prefer not to place data files on disk C:. We have added a second disk for the data files.
- Reporting Services Configuration, select “Install the native mode default configuration”.
After the installation has finished, under “VCM Database Server”, enter (local), and press the “Validate” button.
Check the URL for the Reporting Services, which has a format like http://VCM:80/ReportServer, and press “Validate”.
The result should look something like this:
Next on the list are the SQL Server Support Components. Press the “Install …” buttons. Also for these components, you have the option to download and install the components.
When all components are installed, you can run a recheck, by pressing the button; the result should look like this.
After pressing “Next”, we proceed to the next window.
Enter a License key; in my case I used a vCenter Operations Manager Enterprise Suite key (evaluation).
Under VCM Accounts, select “Use Built-in Accounts”.
Under Install Path, accept the default value or change it (in my case, I prefer disk D).
Place a tick at “Use HTTPS …” and start the installation by pressing the Install button.
Part of the installation is the configuration of IIS.
After some time, the installation is complete. To launch the VCM Web Console, place a tick and Exit the installation.
In the next part, we will continue with the initial configuration of vCM.
Fabio Rapposelli at p2.it, put together a PowerShell script that can verify and remediate the prerequisites for the installation of vCM. You can find it here.
As always, I thank you for reading, and I welcome your comments.
This post is the third part in a series about vSphere hardening. See also:
Part 1 vSphere Hardening, Introduction
Part 2 vSphere Hardening, Available Tools
Part 3 vCenter Configuration Manager – Installation
Part 4 vCenter Configuration Manager – Configuration
Part 5 vCenter Configuration Manager – The Videos
Part 6 vCenter Configuration Manager – First Run